Supreme Court Casts Doubt On Whether Privacy Laws Control Retailers
Written by Mark RaschAttorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.
Remember all those privacy laws you thought you had to comply with? You know, laws ranging from the Fair Credit Reporting Act to health privacy laws to California’s Beverly-Song law that prohibits the collection of personal information during a credit card transaction? Well, a U.S. Supreme Court decision last Thursday (June 23) could be read to mean that all of these laws are unconstitutional and that the government may be without the ability to pass any of them.
This might return us to the “Wild West” days of selling personal information to anyone for any reason. Then again, it may not. But for now, at least, the case will provide something of a backstop legal defense to retailers that use personal information for marketing purposes when someone has not explicitly given their permission.
The case at hand involved a Vermont law that limited the use of information related to prescriptions. To get a prescription drug, you have to have, well, a prescription—a note from a real doctor telling the pharmacist that the doctor has permitted you to get the particular drug. In fact, federal law requires doctors to write prescriptions for certain drugs and pharmacies to maintain records of such prescriptions.
Pharmacies eventually learned that there’s gold in them thar prescription pads. Although information about patients might be protected by either privilege or statute, the information about the doctor is not. Data brokers quickly bought information from the pharmacies about which doctors were prescribing which drugs, how often and in what geographic area.
Data miners then licensed this data, crunched the numbers and leased the resulting information to pharmaceutical reps who could target doctors, hospitals or other practitioners based upon their prescribing habits. An entire business grew up around this secondary use of prescription information—not to fulfill the order (“fill the ‘scrip”) but to market to doctors.
Based upon complaints from privacy groups and doctors, Vermont passed a law prohibiting the use (misuse?) of this information for marketing purposes without the consent of the prescribing physician.
But last week, the U.S. Supreme Court decided that the Vermont statute infringed on the pharmaceutical companies’ (and their marketing components’) constitutionally protected free-speech rights to use the information collected at the pharmacy. The court ruled that this was impermissible “content-based” regulation of free speech and that the prohibition must be held to the highest standard of review, what the law calls “strict scrutiny.”
Unless the government can show both a compelling governmental interest in regulating this speech and that there is no less-intrusive means of achieving that interest, the “rights” of the marketers trumped the government’s interest in regulating—just as it ruled a few days later that the rights of videogame manufacturers to sell ultra-violent videogames to minors trumped the rights of the government to attempt to regulate such sales.
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
